I've long been puzzled by the enthusiasm many people have for password managers such as LastPass, which is my choice. Every once in a while I come across a situation in which I breathe a great sigh of relief knowing that I didn't commit myself completely to a password manager. A few minutes ago is an example. I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn't recognize the new logon screen and fails to enter anything. After entering my ID manually, the screen is redrawn and asks for my password. Again, LastPass fails to enter anything. I am happy that I have used a low-level password there that I can remember easily. If I had used one more difficult to remember or, heaven forbid, allowed LastPass to create one for me, something truly random-looking, I would be totally at the mercy of LastPass. At this stage, I could go to my "vault" on the LastPass site and look up the password. But if something happened to LastPass or its site, I would be barred from Syncplicity forever.

I think passwords are a terrible measure for security. If you get too fancy with them in an effort to achieve ultimate security, you put yourself at risk of losing access to your data. If you use simple passwords, or re-use the same one at multiple sites, you put yourself at risk of being hacked.

I've experienced this with other sites too; apparently some websites think there is a security feature in presenting the user ID first. I have to disagree that LastPass cannot handle this. If the URL is correct and the website certificate has not been stolen or hacked, LastPass will dutifully enter the user ID, so I simply click Enter, and LastPass enters the password and voila!

The only concern I have with LastPass is when I'm entering the console password, the only one you need to enter: if there is no SSL session in force at that time, Rapport may not be able to block any keyloggers or screen-capture malware onboard. Since I enter my passwords in more than just browsers, I like to use LastPass on those too, so I use KeyScrambler to at least obfuscate the console password. Unfortunately then you have to rely on KeyScrambler for keyloggers. Turning off KeyScrambler, enabling keylog blocking in Rapport, and only entering the console password during an SSL session would be better. That way, as long as I have LastPass set to remain logged in with the many granular settings, I wouldn't have to do it again for a while. Using CCleaner on limited accounts will eliminate most contracted malware temporarily anyway, and can make any session safer during vulnerable events.

LastPass can recognize when you are at the wrong URL, and I've been getting popups when trying to enter into non-SSL windows that don't encrypt login credentials. I'm not sure if it is LastPass warning me or my Comodo Dragon browser, but not all passwords out there are critical for security, so I don't worry about them unless I was trying to log on to a shopping or banking site. LastPass will not enter the credentials to the wrong URL or SSL certificate, so I realized each time that happened that I was redirected to a poser site. It has saved my bacon more than once! WOT can help in this endeavor, too, as it sometimes knows when you have stumbled onto a disreputable site and will block it. MBAM will also block anything outgoing to a malicious site, and will block anything incoming from such also. This, I'm sure, has saved many an individual from letting out their personal data.

The blended defense is the only way nowadays. I've only mentioned the tip of the security solution iceberg!
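The post above relies on the manager refusing to fill credentials on a URL that does not match the saved site. The following is an added example, not LastPass code, of how such an autofill decision can be made: match the saved and current page on the registrable domain (eTLD+1), refuse to fill a credential saved over HTTPS into a plain HTTP page, and refuse hostnames that contain non-ASCII characters (a common homograph trick). The public-suffix subset, the function names and the sample URLs are all constructed for the example; a real client ships the full public suffix list.

```python
"""Origin matching for password-manager autofill (added example, not LastPass code)."""
from urllib.parse import urlsplit

# Constructed subset of the public suffix list; a real client uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'login.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the left so the longest matching public suffix wins ('co.uk' before 'uk').
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    # Fallback for suffixes not in our subset: last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def autofill_decision(saved_url: str, page_url: str) -> tuple[bool, str]:
    """Decide whether a credential saved for saved_url may be filled on page_url.

    Returns (allowed, reason). Every refusal names the check that tripped.
    """
    saved = urlsplit(saved_url)
    page = urlsplit(page_url)

    # urlsplit().hostname already strips userinfo, so 'https://bank.com@evil.net/'
    # resolves to 'evil.net' rather than to the bank.
    if not page.hostname or not saved.hostname:
        return False, "missing hostname"

    if any(ord(c) > 127 for c in page.hostname):
        return False, "non-ASCII hostname (possible homograph of a saved site)"

    if saved.scheme == "https" and page.scheme != "https":
        return False, "credential saved over HTTPS; refusing to fill on a non-HTTPS page"

    saved_dom = registrable_domain(saved.hostname)
    page_dom = registrable_domain(page.hostname)
    if saved_dom != page_dom:
        return False, f"domain mismatch: page is {page_dom!r}, credential is for {saved_dom!r}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate subdomain and several lookalikes.
    SAVED = "https://www.chase.com/login"
    for page in [
        "https://secure.chase.com/signin",
        "https://www.chase.com.evil.net/login",
        "http://www.chase.com/login",
        "https://www.chase.com@evil.net/",
    ]:
        allowed, reason = autofill_decision(SAVED, page)
        print(f"{'FILL ' if allowed else 'BLOCK'} {page}: {reason}")
```

The eTLD+1 rule is deliberately looser than exact-host matching so that `secure.chase.com` and `www.chase.com` share a credential, which is what most managers do by default; a site that hosts untrusted user content on a sibling subdomain is the case where a stricter, per-host match should be chosen instead.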

I agree with you... up to a point. I've been using KeePass for many years on an encrypted USB stick (backed up to an identical encrypted USB stick).

More recently I've been using MiniKeePass on my iPhone and no longer use my encrypted USB stick for password storage. Not only do I use KeePass and now MiniKeePass to store website login and password details but loads of other data (bank account details, security door codes, remote access passwords, software license keys, etc.).

I've now been using LastPass for about 6 months and like its simplicity. Following a suggestion by ruirib I'm going to look into the benefits of a paid version of LastPass for mobile use for simplicity's sake.

However, I suspect I may continue to use KeePass (and MiniKeePass) because so much more can be stored in it than just online login/password data.

Hope this helps...

(PS - For anyone who worries about the 'crackability' of their passwords, try checking them at GRC's Password Checker.)

Rick,

LastPass allows you to save Secure Notes, for which you can even force anyone wanting to access them to enter your LastPass password again. All the Secure Notes are kept encrypted, just like the passwords.
This means that LastPass can be used to keep other important info, not just passwords, so if you use it, it seems you won't need KeePass.

Thank you, Rui. After reading up on the advantages, I've signed up to LastPass Premium (and Xmarks Premium). Now just have to download/install them both everywhere.

I have been using LastPass for a couple of years, with no complaints.
I would like to check something about how it works, from the more knowledgeable folks here.

I believe that there is an encrypted copy of my vault stored at LastPass.
In addition, there is a local copy of my vault stored on my laptop, where I use it frequently. In fact, that local copy is how LP can still tell me about my userids and passwords even when I am not connected to any network at all, right?

Now, on rare occasions, I use my wife's laptop, which is set up for two users. So I log in to my own username on that machine (it is Windows XP at the moment, will be Win 7 soon), then use the installed copy of LastPass to sign in to some website. I think it UPDATES the local copy of the vault at that time, thus keeping the vault synchronized at all three places (LP server, my laptop, her laptop).

This is certainly interesting, but what happens when one loses the physical YubiKey?

Originally Posted by Essjay

Strange, I don't see that anyone has mentioned YubiKey. Used in conjunction with LastPass and properly set up, it is impregnable. And a darn sight easier than TFA. Well, as long as you don't lose your YubiKey. I cannot get into my LP account without YubiKey from anywhere, especially my phone.
I really wish access to my phone was tied to my Yubi as well but thats another story.
Yubikey anyone?
sj

I used Roboform for years with my "Lifetime license" that I purchased to support them... Until they decided that my Lifetime had apparently outlived their usefulness. They upgraded their software and demanded additional yearly payments, even from their previously loyal users. I continued to use Roboform until it would no longer work with newer versions of browsers. I pleaded with Roboform to honor Lifetime Licenses for those of us who had supported them early in the game, and referred many other customers, and to charge the annual fees to their new users as they came on board. I received a pretty derogatory reply. I decided that if they couldn't be trusted to honor the terms which they had initiated, I didn't want to trust them with my sensitive information. Character matters. I've been a very happy and loyal Lastpass user for several years now!

Thanks, Rui, and everyone else for an informative discussion. Never having used a password manager, I'm finding this a good introduction, and I'm strongly considering using Last Pass.

The group also should be proud that the comments have been on topic and courteous. No one has told anyone else that they're full of feces or a complete dumb a--.

I confess I was rather skeptical of using password managers. I always thought I could manage all my passwords through my own password-creating algorithm, but as the number of sites used increased, that became a lot harder. I now use much longer and safer passwords and, with LastPass's other features, I keep some relevant info safer, too. If you get a good password manager, you will soon find out how useful it can be and probably even wonder how you could have done without it for so long.

I started using Roboform last year, somewhat hesitantly, after first trying a freeware password mgr whose name I forget. I now use it all the time. I do have some issues/questions.

It seems that all PMs have problems with multipage logins. There are workarounds but they don't always work. On some sites, or where a site has multiple ways of getting to log in, Roboform may think it's got the page right but enter data in the wrong place. Then I have to find a login page that matches what R-f can handle.

Another issue I have specifically with R-f is that the individual pw files, while encrypted, have plain text names. Anyone who got a directory list of my hard drive would have a very complete list of every bank, stock broker, and website I visit. Roboform says this is not going to change. The only workaround is to name each password with something unintelligible, but then I have to remember that, say, MLZPK is Chase Bank and OpenDoors is really Windows Secrets.

I have the version of Roboform that I can sync to my iPhone. I haven't tried it yet. For one thing, I am very skeptical of the security of anything on the iPhone. Beyond that, R-f does not allow simply copying the password files from a PC to the iPhone. It requires going through their servers. Until now, I have totally avoided putting any important data "in the cloud." Too many stories of server breaches.

The saving grace of Roboform is that one does not send unencrypted files to R-f servers, not even over SSL. (Let's not talk about Heartbleed.) The pw files are encrypted locally, saved that way on R-f servers, and downloaded to the iPhone in the original, encrypted form. In theory, even if some bad guys or some government had access to R-f's servers, all they'd get is my encrypted pw files. On this basis, I am considering using this feature. On the other hand, they'd also get the complete list of all my banks, etc. (see above) This could be used in social engineering attacks.

Let's generously call multipage logins a work-in-progress. You are correct that they are a pain to work with.

If someone has access to a complete directory listing of your PC you've got a big, big problem. Even so, if you use strong credentials you should not be completely vulnerable. If you have a RoboForm Everywhere subscription you can use a copy of RoboForm to-go, which is RoboForm on a thumb drive. Your credentials are stored on the thumb drive. That way none of the password data would reside on the PC.

Good comments, Joe. In theory, I assume if someone gets my hard drive they will at least be slowed down with all my data folders on my D: partition in EFS.

I guess the worry about the file list of password files is if someone breaks into Roboform's servers. But as you say, with strong credentials on all my financial websites, maybe it's not something to worry about.

I guess I am not ready to give up the convenience of having Roboform on my PC.

One of my backups is an IronKey USB drive. I have not gotten RoboForm Anywhere to work on it. However, the IK has a built-in Firefox browser, connection to VPN servers, and an autologon. It doesn't work as well as RoboForm on some websites, but it does work. I think it is about as secure as I can hope for.